A monitoring system for embedded devices widely distributed

Today, the technological world is increasingly affected by cyber-attacks and cybercrime, and, at the same time, it is proliferating. Consequently, some ways of protection become essential. As a result, one of the most critical countermeasures is the detection of these cyber-attacks. Each attack leaves traces in the target system in different forms. In this respect, the purpose of this thesis is, firstly, a deeper analysis of various monitoring and logging techniques, the source information they process, and the solutions which better can detect most attacks, second allowing a better comprehension of what is going on through the creation of security alerts. Moreover, detection needs to be optimized to avoid false positives, i.e., alerts for harmless and not anomalous events. Hence, this thesis also proposes an alert correlation, an additional technique that permits the improvement of accuracy, correctness, and efficiency of the security logging process. For this purpose, various monitoring and logging tools have been compared based on tailored discriminants to find the solution that best fits the proposed case study, a platform with various embedded devices spread worldwide that need to be monitored from the security point of view. Once the chosen solution has been described in a detailed way, it is implemented in the proposed platform, considering a list of suitable events to monitor the case study. For the completeness of the detection, various adjustments have been created without significant degradation of performance following the chosen solution's semantics. Several tests have been carried out to validate the tool's effectiveness: simulated cyber-attacks, tests for information gathering capabilities, and performance impact tests. The performed tests highlighted the excellent capabilities of the chosen product, demonstrating how a monitoring and logging tool is one of the most valuable lines of defense against cyber-attacks. However, to improve the defense capabilities, introducing another product that permits correlating the outputs of the logging tool is desirable, without underestimating the use of constant vigilance about new vulnerabilities and attack techniques employed by attackers.